fmt: fix ANSI escape sequence injection vulnerability (#3368)

Fixes a security vulnerability where ANSI escape sequences in user input
could be injected into terminal output, potentially allowing attackers to
manipulate terminal behavior through log messages and error displays.

The vulnerability occurred when user-controlled content was formatted using
Display (`{}`) instead of Debug (`{:?}`) formatting, allowing raw ANSI
sequences to pass through unescaped.

Changes:
- Add streaming ANSI escape wrapper to avoid string allocations
- Escape message content in default and pretty formatters
- Escape error Display content in all error formatting paths
- Add comprehensive integration tests for all formatter types

The fix specifically targets untrusted user input while preserving the
ability for applications to deliberately include formatting in trusted
contexts like thread names.

Security impact: Prevents terminal injection attacks such as title bar
manipulation, screen clearing, and other malicious terminal control
sequences that could be injected through log messages.

Author: carllerche

tracing-subscriber/CHANGELOG.md

@@ -1,3 +1,11 @@
+# 0.3.20 (August 29, 2025)
+
+[ [crates.io][crate-0.3.20] ] | [ [docs.rs][docs-0.3.20] ]
+
+### Fixed
+
+- Escape ANSI escape sequences in logs
+
 # 0.3.19 (November 29, 2024)
 
 [ [crates.io][crate-0.3.19] ] | [ [docs.rs][docs-0.3.19] ]

tracing-subscriber/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "tracing-subscriber"
-version = "0.3.19"
+version = "0.3.20"
 authors = [
     "Eliza Weisman <[email protected]>",
     "David Barsky <[email protected]>",

tracing-subscriber/src/fmt/format/escape.rs

@@ -0,0 +1,51 @@
+//! ANSI escape sequence sanitization to prevent terminal injection attacks.
+
+use std::fmt::{self, Write};
+
+/// A wrapper that implements `fmt::Debug` and `fmt::Display` and escapes ANSI sequences on-the-fly.
+/// This avoids creating intermediate strings while providing security against terminal injection.
+pub(super) struct Escape<T>(pub(super) T);
+
+/// Helper struct that escapes ANSI sequences as characters are written
+struct EscapingWriter<'a, 'b> {
+    inner: &'a mut fmt::Formatter<'b>,
+}
+
+impl<'a, 'b> fmt::Write for EscapingWriter<'a, 'b> {
+    fn write_str(&mut self, s: &str) -> fmt::Result {
+        // Stream the string character by character, escaping ANSI and C1 control sequences
+        for ch in s.chars() {
+            match ch {
+                // C0 control characters that can be used in terminal escape sequences
+                '\x1b' => self.inner.write_str("\\x1b")?,  // ESC
+                '\x07' => self.inner.write_str("\\x07")?,  // BEL
+                '\x08' => self.inner.write_str("\\x08")?,  // BS
+                '\x0c' => self.inner.write_str("\\x0c")?,  // FF
+                '\x7f' => self.inner.write_str("\\x7f")?,  // DEL
+                
+                // C1 control characters (\x80-\x9f) - 8-bit control codes
+                // These can be used as alternative escape sequences in some terminals
+                ch if ch as u32 >= 0x80 && ch as u32 <= 0x9f => {
+                    write!(self.inner, "\\u{{{:x}}}", ch as u32)?
+                },
+                
+                _ => self.inner.write_char(ch)?,
+            }
+        }
+        Ok(())
+    }
+}
+
+impl<T: fmt::Debug> fmt::Debug for Escape<T> {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let mut escaping_writer = EscapingWriter { inner: f };
+        write!(escaping_writer, "{:?}", self.0)
+    }
+}
+
+impl<T: fmt::Display> fmt::Display for Escape<T> {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let mut escaping_writer = EscapingWriter { inner: f };
+        write!(escaping_writer, "{}", self.0)
+    }
+}

tracing-subscriber/src/fmt/format/mod.rs

@@ -48,6 +48,10 @@ use tracing_log::NormalizeEvent;
 #[cfg(feature = "ansi")]
 use nu_ansi_term::{Color, Style};
 
+
+mod escape;
+use escape::Escape;
+
 #[cfg(feature = "json")]
 mod json;
 #[cfg(feature = "json")]
@@ -1257,15 +1261,15 @@ impl field::Visit for DefaultVisitor<'_> {
                 field,
                 &format_args!(
                     "{} {}{}{}{}",
-                    value,
+                    Escape(&format_args!("{}", value)),
                     italic.paint(field.name()),
                     italic.paint(".sources"),
                     self.writer.dimmed().paint("="),
                     ErrorSourceList(source)
                 ),
             )
         } else {
-            self.record_debug(field, &format_args!("{}", value))
+            self.record_debug(field, &format_args!("{}", Escape(&format_args!("{}", value))))
         }
     }
 
@@ -1287,7 +1291,10 @@ impl field::Visit for DefaultVisitor<'_> {
         self.maybe_pad();
 
         self.result = match name {
-            "message" => write!(self.writer, "{:?}", value),
+            "message" => {
+                // Escape ANSI characters to prevent malicious patterns (e.g., terminal injection attacks)
+                write!(self.writer, "{:?}", Escape(value))
+            },
             name if name.starts_with("r#") => write!(
                 self.writer,
                 "{}{}{:?}",
@@ -1326,7 +1333,7 @@ impl Display for ErrorSourceList<'_> {
         let mut list = f.debug_list();
         let mut curr = Some(self.0);
         while let Some(curr_err) = curr {
-            list.entry(&format_args!("{}", curr_err));
+            list.entry(&Escape(&format_args!("{}", curr_err)));
             curr = curr_err.source();
         }
         list.finish()

tracing-subscriber/src/fmt/format/pretty.rs

@@ -457,15 +457,15 @@ impl field::Visit for PrettyVisitor<'_> {
                 field,
                 &format_args!(
                     "{}, {}{}.sources{}: {}",
-                    value,
+                    Escape(&format_args!("{}", value)),
                     bold.prefix(),
                     field,
                     bold.infix(self.style),
                     ErrorSourceList(source),
                 ),
             )
         } else {
-            self.record_debug(field, &format_args!("{}", value))
+            self.record_debug(field, &Escape(&format_args!("{}", value)))
         }
     }
 
@@ -475,7 +475,10 @@ impl field::Visit for PrettyVisitor<'_> {
         }
         let bold = self.bold();
         match field.name() {
-            "message" => self.write_padded(&format_args!("{}{:?}", self.style.prefix(), value,)),
+            "message" => {
+                // Escape ANSI characters to prevent malicious patterns (e.g., terminal injection attacks)
+                self.write_padded(&format_args!("{}{:?}", self.style.prefix(), Escape(value)))
+            },
             // Skip fields that are actually log metadata that have already been handled
             #[cfg(feature = "tracing-log")]
             name if name.starts_with("log.") => self.result = Ok(()),